91d8e570cb066a6f1071f8317582dce171f02b6b251b1f3ae0c05c3daed1cf76

Analysis

max time kernel
149s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-10-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ToDesk_Win_6.5.3.msi
Size

106.3MB
MD5

c35a739a215927552c93499d6c8d8665
SHA1

0e6241f007f00d461d39ec5940eb9535b73ffd61
SHA256

91d8e570cb066a6f1071f8317582dce171f02b6b251b1f3ae0c05c3daed1cf76
SHA512

f51242cdf99849ad9b54c529670aea3eb2a18c65b8b26474c4f1645f55bda1efed9fd64e10debc1f37886b0f5338092a97e2d99b4dc17368bb21be8525ec731b
SSDEEP

3145728:b5VQYFW8BWuesWnkksidfvCDagHKABtUUYOSZ:dVK8teiwndgqstU

Score

7^/10

discovery persistence privilege_escalation upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0008000000023560-279.dat	acprotect

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2708-253-0x0000000002E30000-0x0000000002EBB000-memory.dmp	upx
behavioral2/files/0x0008000000023560-279.dat	upx
behavioral2/memory/552-283-0x0000000074D40000-0x0000000074DFA000-memory.dmp	upx
behavioral2/memory/4224-311-0x0000000002C90000-0x0000000002D1B000-memory.dmp	upx
behavioral2/memory/4224-314-0x0000000002C90000-0x0000000002D1B000-memory.dmp	upx
behavioral2/memory/4224-316-0x00000000033B0000-0x00000000033E3000-memory.dmp	upx
behavioral2/memory/552-323-0x0000000074D40000-0x0000000074DFA000-memory.dmp	upx

Drops file in Program Files directory 19 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defenderr\xfTBFyYUvD\_8	MsiExec.exe
File opened for modification	C:\Program Files\Windows Defenderr\xfTBFyYUvD\Log\WsTaskLoad.txt	TaskLoad.exe
File opened for modification	C:\Program Files\Windows Defenderr\xfTBFyYUvD\WsTaskLoad.exe	TaskLoad.exe
File created	C:\Program Files\Windows Defenderr\xfTBFyYUvD\FourierTransformLib8.dll	MsiExec.exe
File created	C:\Program Files\Windows Defenderr\xfTBFyYUvD\ImageRestoreLib8.dll	MsiExec.exe
File created	C:\Program Files\Windows Defenderr\xfTBFyYUvD\wavelet_3_8.dll	MsiExec.exe
File created	C:\Program Files\Windows Defenderr\xfTBFyYUvD\COMSupport.dll	MsiExec.exe
File opened for modification	C:\Program Files\Windows Defenderr\xfTBFyYUvD\Log\WsTaskLoad.txt	WsTaskLoad.exe
File opened for modification	C:\Program Files\Windows Defenderr\xfTBFyYUvD\dll1.dll	TaskLoad.exe
File opened for modification	C:\Program Files\Windows Defenderr\xfTBFyYUvD\ImageRestoreLib8.dll	TaskLoad.exe
File opened for modification	C:\Program Files\Windows Defenderr\xfTBFyYUvD\wavelet_3_8.dll	TaskLoad.exe
File created	C:\Program Files\Windows Defenderr\xfTBFyYUvD\WS_Log.dll	MsiExec.exe
File opened for modification	C:\Program Files\Windows Defenderr\xfTBFyYUvD\WS_Log.dll	MsiExec.exe
File created	C:\Program Files\Windows Defenderr\xfTBFyYUvD\dll1.dll	MsiExec.exe
File created	C:\Program Files\Windows Defenderr\xfTBFyYUvD\WsTaskLoad.exe	MsiExec.exe
File opened for modification	C:\Program Files\Windows Defenderr\xfTBFyYUvD\COMSupport.dll	TaskLoad.exe
File opened for modification	C:\Program Files\Windows Defenderr\xfTBFyYUvD\FourierTransformLib8.dll	TaskLoad.exe
File opened for modification	C:\Program Files\Windows Defenderr\xfTBFyYUvD\_8	TaskLoad.exe
File opened for modification	C:\Program Files\Windows Defenderr\xfTBFyYUvD\WS_Log.dll	TaskLoad.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI88C4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{7F62554D-A190-4612-BDF1-63466F97E94C}	msiexec.exe
File created	C:\Windows\Installer\{7F62554D-A190-4612-BDF1-63466F97E94C}\ToDesk.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\e5886fe.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8913.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI8C60.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{7F62554D-A190-4612-BDF1-63466F97E94C}\ToDesk.exe	msiexec.exe
File created	C:\Windows\Installer\e5886fe.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI87A9.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
2708	WsTaskLoad.exe
4224	TaskLoad.exe
552	ToDesks.exe

Loads dropped DLL 22 IoCs

pid	Process
3820	MsiExec.exe
3820	MsiExec.exe
3820	MsiExec.exe
3820	MsiExec.exe
3820	MsiExec.exe
3820	MsiExec.exe
3820	MsiExec.exe
4076	MsiExec.exe
4076	MsiExec.exe
4076	MsiExec.exe
2708	WsTaskLoad.exe
2708	WsTaskLoad.exe
2708	WsTaskLoad.exe
2708	WsTaskLoad.exe
4224	TaskLoad.exe
4224	TaskLoad.exe
4224	TaskLoad.exe
4224	TaskLoad.exe
3820	MsiExec.exe
552	ToDesks.exe
552	ToDesks.exe
552	ToDesks.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
3216	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ToDesks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WsTaskLoad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TaskLoad.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000096fabf83e47a2dea0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000096fabf830000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff00000000070001000068090096fabf83000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d96fabf83000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000096fabf8300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	TaskLoad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	TaskLoad.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WsTaskLoad.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WsTaskLoad.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows Script\Settings\JITDebug = "0"	MsiExec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
4260	msiexec.exe
4260	msiexec.exe
2708	WsTaskLoad.exe
2708	WsTaskLoad.exe
4224	TaskLoad.exe
4224	TaskLoad.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3216	msiexec.exe
Token: SeSecurityPrivilege	4260	msiexec.exe
Token: SeCreateTokenPrivilege	3216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3216	msiexec.exe
Token: SeLockMemoryPrivilege	3216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3216	msiexec.exe
Token: SeMachineAccountPrivilege	3216	msiexec.exe
Token: SeTcbPrivilege	3216	msiexec.exe
Token: SeSecurityPrivilege	3216	msiexec.exe
Token: SeTakeOwnershipPrivilege	3216	msiexec.exe
Token: SeLoadDriverPrivilege	3216	msiexec.exe
Token: SeSystemProfilePrivilege	3216	msiexec.exe
Token: SeSystemtimePrivilege	3216	msiexec.exe
Token: SeProfSingleProcessPrivilege	3216	msiexec.exe
Token: SeIncBasePriorityPrivilege	3216	msiexec.exe
Token: SeCreatePagefilePrivilege	3216	msiexec.exe
Token: SeCreatePermanentPrivilege	3216	msiexec.exe
Token: SeBackupPrivilege	3216	msiexec.exe
Token: SeRestorePrivilege	3216	msiexec.exe
Token: SeShutdownPrivilege	3216	msiexec.exe
Token: SeDebugPrivilege	3216	msiexec.exe
Token: SeAuditPrivilege	3216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3216	msiexec.exe
Token: SeChangeNotifyPrivilege	3216	msiexec.exe
Token: SeRemoteShutdownPrivilege	3216	msiexec.exe
Token: SeUndockPrivilege	3216	msiexec.exe
Token: SeSyncAgentPrivilege	3216	msiexec.exe
Token: SeEnableDelegationPrivilege	3216	msiexec.exe
Token: SeManageVolumePrivilege	3216	msiexec.exe
Token: SeImpersonatePrivilege	3216	msiexec.exe
Token: SeCreateGlobalPrivilege	3216	msiexec.exe
Token: SeCreateTokenPrivilege	3216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3216	msiexec.exe
Token: SeLockMemoryPrivilege	3216	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3216	msiexec.exe
Token: SeMachineAccountPrivilege	3216	msiexec.exe
Token: SeTcbPrivilege	3216	msiexec.exe
Token: SeSecurityPrivilege	3216	msiexec.exe
Token: SeTakeOwnershipPrivilege	3216	msiexec.exe
Token: SeLoadDriverPrivilege	3216	msiexec.exe
Token: SeSystemProfilePrivilege	3216	msiexec.exe
Token: SeSystemtimePrivilege	3216	msiexec.exe
Token: SeProfSingleProcessPrivilege	3216	msiexec.exe
Token: SeIncBasePriorityPrivilege	3216	msiexec.exe
Token: SeCreatePagefilePrivilege	3216	msiexec.exe
Token: SeCreatePermanentPrivilege	3216	msiexec.exe
Token: SeBackupPrivilege	3216	msiexec.exe
Token: SeRestorePrivilege	3216	msiexec.exe
Token: SeShutdownPrivilege	3216	msiexec.exe
Token: SeDebugPrivilege	3216	msiexec.exe
Token: SeAuditPrivilege	3216	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3216	msiexec.exe
Token: SeChangeNotifyPrivilege	3216	msiexec.exe
Token: SeRemoteShutdownPrivilege	3216	msiexec.exe
Token: SeUndockPrivilege	3216	msiexec.exe
Token: SeSyncAgentPrivilege	3216	msiexec.exe
Token: SeEnableDelegationPrivilege	3216	msiexec.exe
Token: SeManageVolumePrivilege	3216	msiexec.exe
Token: SeImpersonatePrivilege	3216	msiexec.exe
Token: SeCreateGlobalPrivilege	3216	msiexec.exe
Token: SeCreateTokenPrivilege	3216	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3216	msiexec.exe
Token: SeLockMemoryPrivilege	3216	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3216	msiexec.exe
3216	msiexec.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
552	ToDesks.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 3820	4260	msiexec.exe	84
PID 4260 wrote to memory of 3820	4260	msiexec.exe	84
PID 4260 wrote to memory of 3820	4260	msiexec.exe	84
PID 4260 wrote to memory of 5052	4260	msiexec.exe	98
PID 4260 wrote to memory of 5052	4260	msiexec.exe	98
PID 4260 wrote to memory of 4076	4260	msiexec.exe	100
PID 4260 wrote to memory of 4076	4260	msiexec.exe	100
PID 4260 wrote to memory of 4076	4260	msiexec.exe	100
PID 4260 wrote to memory of 4456	4260	msiexec.exe	101
PID 4260 wrote to memory of 4456	4260	msiexec.exe	101
PID 4260 wrote to memory of 4456	4260	msiexec.exe	101
PID 4456 wrote to memory of 2708	4456	MsiExec.exe	103
PID 4456 wrote to memory of 2708	4456	MsiExec.exe	103
PID 4456 wrote to memory of 2708	4456	MsiExec.exe	103
PID 2708 wrote to memory of 4224	2708	WsTaskLoad.exe	104
PID 2708 wrote to memory of 4224	2708	WsTaskLoad.exe	104
PID 2708 wrote to memory of 4224	2708	WsTaskLoad.exe	104

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\ToDesk_Win_6.5.3.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3216

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding FC385C06BE63AD7EAA1941F3CA53B086 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3820
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:5052
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CF990E92B8F9806E19A50A7E71F03833
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4076
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9465987787524D753E841B0B05480606 E Global\MSI0000
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:4456
- - C:\Program Files\Windows Defenderr\xfTBFyYUvD\WsTaskLoad.exe
    "C:\Program Files\Windows Defenderr\xfTBFyYUvD\WsTaskLoad.exe"
    3⤵
    - Drops file in Program Files directory
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2708
  - - C:\Users\Public\Documents\TaskLoad.exe
      C:\Users\Public\Documents\TaskLoad.exe
      4⤵
      Drops file in Program Files directory
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious behavior: EnumeratesProcesses
      PID:4224

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:2364

C:\Users\Admin\AppData\Roaming\ToDiskstinstall\ToDesks.exe
"C:\Users\Admin\AppData\Roaming\ToDiskstinstall\ToDesks.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5886ff.rbs

Filesize
37KB

MD5
355a3bc03b7f88ed4184a6acee097866

SHA1
c0c6a0f57852f47656e9eb897c1f2b9fc898f567

SHA256
33b4e67552982779e82ab05a1d0207b9b24eeb78b5dda7e26ff2c207e8621fe6

SHA512
b2936242f228bca214c04cc92a2e748397de674940f74acb25a39f8b231681d911271bdce3f2993f741e6a793f4dc1d06b0aa6dc9de4e4b3c4e680d726a1d719

Download Submit
C:\Config.Msi\e588700.rbf

Filesize
2KB

MD5
39e0fa48c79a800de3e7f49c9b6bdeea

SHA1
9f80d71705f8c1f558dd2e099de475f664429685

SHA256
08cf31b952d409140f65f313f12b1fb33caffeb69090966195e4934969267942

SHA512
f72fdb77291c7b469ed437994af46e7eb247dd3ec92677934b37ef9b516a482e55398b426b3a457817cb815863332d8fe8600fd28bade58d634d188fb5bbd812

Download Submit
C:\ProgramData\1

Filesize
2.0MB

MD5
faf4a129b091a57c3ff694dc721d4f3b

SHA1
7430935f501164b46b99766ed9ab68da0db50c24

SHA256
b1d13ed7409ca47f47d200f6b26d8da6a07e645ef49ddc9a28486f46bb8c41e7

SHA512
0103d9bfa27c809f978a2ac805e5eb59e07f0f0eef8aecf2713d8af1bff0d54fbc24043435cb67f550d5afdd6f0a2bc5c0026b6e920efe2ad21b619bbfbb0583

Download Submit
C:\ProgramData\11

Filesize
80KB

MD5
4724e6f9188b14931d8f8a4f9013545d

SHA1
980748bc54d4fa2447fb55e14182871255e5cdc5

SHA256
98d776cf0ba9a871b286e3fac2e6b6cd987772cf5407e0699d3a774437105750

SHA512
1e9fdda9b95dcde966cce6f778ec490a14fcd4424bf6b2f7435ab6103e6c01e551ab6317270a09222f7a2d5108af2f539040cf7769ed278d7f1e254cef0afbfd

Download Submit
C:\ProgramData\12

Filesize
92KB

MD5
c839322aae418c0e6fac724147bfdb5c

SHA1
ac5729cb3c834a4030bf442eee3c3860ea3e4d74

SHA256
16c2ecf67fe1478e14507b652f756eb3164875da04a71f2fe906342b5b9404aa

SHA512
07016f13f9ec8183deade4fe260fe9a617a30342fa638acdfa1c767bf3c48d7cbf9cb57b37fc779abd39858446651c44185be9f8f107d09abb59987e90ca22f1

Download Submit
C:\ProgramData\15

Filesize
978KB

MD5
8e945aaf7128bb3db83e51f3c2356637

SHA1
bcc64335efc63cb46e14cc330e105520391e2b00

SHA256
4fcf6394b14e24d830b04209a0ede1dcc911d199740a55d12c8ab8aeabb84073

SHA512
150636eea0cab3e738f5e94ae910d189622fa3221aca1cecc05bf0f5a80f2fab055adeafd99eab7a2a1d3911ff2784cf521a2681e5ddf7737f4363b915b8c2a8

Download Submit
C:\ProgramData\18

Filesize
74KB

MD5
99e32380269ce8bfdfd7809b04e11f9e

SHA1
89664f18e62bf760d7794fa00677c6921c340281

SHA256
96332c7949ce9fa844260237fe02790de788b6045040901aa12ba7e10e6f1e22

SHA512
9f1332f5ef7f514db6e8d2c90f007c3a26f3eb339697419000fe99e12187996dfe29340d6e484ca4814e7613c8ad2a218e1b52ac89a0b5bc08adaed66861a06f

Download Submit
C:\ProgramData\19

Filesize
60KB

MD5
dc7ffc8ad8ff0938cdae79ae89e3be86

SHA1
3374e3ee4b74e724bd1471d6ec101c2648786660

SHA256
5fc31323a83a688bbb3572a3d5e4686e4582336defdaec297fe054850040f8fd

SHA512
dc83c255621a266047f358aa270bbf9019f4866cb6ce9b944ceaa3b99969faad54dd88158322770679bd53344e5db24f4614f2732c1ef7d7cb315b74fc8fdba4

Download Submit
C:\ProgramData\2

Filesize
60KB

MD5
b5d39af334d99660a4d743f1df87d828

SHA1
2faa3e79c987403aefccce01c33673390ca3ff91

SHA256
1a780c0d6c91ff93081c731f61e4ccaeb2cf20bf3f5b9f926f2f2d6dc50c8649

SHA512
319f22c5ebc196299f199946910184a4a40a2452a487889cf5eebfb2dc06d2ff6a988afd76315c1ebdab1f7606ef09cc3bbc839d7b7ddc4e3178f115fe09609f

Download Submit
C:\ProgramData\2

Filesize
60KB

MD5
7a9254cb9d697a26f0d00b02a62f797e

SHA1
35e12aac4d525ba80c807eec8961475c3b212a2c

SHA256
1f93e6c00170e8bfd054724076230afe8adc50d44e2ccaca4dd7cabee948a10a

SHA512
79851f669c4e3ce76950b351a0ca03861b65a2ccee12914b4a266443e33e220ff220ede84215107429e75cf220498cf69d377833b664a55ed88a7e2fb066de66

Download Submit
C:\ProgramData\20

Filesize
176KB

MD5
1a41bd3bca987e64681c4fe35979d3c2

SHA1
fe9dbf79a89180566af4cb802715e5ffb0d15feb

SHA256
ddccf178b0304a7709b3abc4ac408e882254014914941267e63fb3f041918dc1

SHA512
5add5586af12bd93575ce79a3124e702f3843ae6a1e24cf5fb4e7dc87364f357d88a5343e0e48cd3bf8117520e8414177275db4cb14f85d33ef7316ddb8f51e5

Download Submit
C:\ProgramData\4

Filesize
320KB

MD5
c004284a37857e8d538efd3961db8641

SHA1
311d86d8c4b7c7d292bb6074b266303197366815

SHA256
6b4bdb2086da032f946778d2d4a00c11f2be0fc96bc9f875c73d2b588bbd8865

SHA512
19b679647550080ef637bee606a39209ce450d8e845747deae3e0f620ed047c4c98d276daea36da8ebcad7e5bcab87200b2cf9292f89b5d19456be9ee63e2cbb

Download Submit
C:\ProgramData\4

Filesize
320KB

MD5
43603e8c7d088283e32fff8fec3a30af

SHA1
06da7fdd1921d3681fe18ac4d0f70f90af94a7fc

SHA256
68d733f55b07e8f1f058501a80b718325ad55e68bb9cc9c027d86df89f111cd6

SHA512
35acdfba023d55c4195811ee52d6dc8bbc0755db029bdaf20a4ae1900e9dd8cda747b8d32bb62380a83be50240be141c894c32b4cca48fa60d4b244c8be62217

Download Submit
C:\ProgramData\a10

Filesize
36KB

MD5
f0284892937a97caa61afcd3b6ddb6d4

SHA1
f3c308e7e4aaa96919882994cdd21cc9f939cabd

SHA256
2514913f8a6f4671a058304651289b0babe47d81c044212b3140ed1c1b643b09

SHA512
058845e0a9a5892a69f24f3a77086e3f9546493ad40a0e5359aed05cf8882a9f3d7aee0449648d5cb76e51530af3e46af59a9b196cc92318334116c92dde4171

Download Submit
C:\ProgramData\a3

Filesize
18B

MD5
649e9fcedeb36cf2c6945495ef205fc8

SHA1
9d05226cfd2c886f21049917287412f238a47cbe

SHA256
22f6b408559e682270f60ccad51f39f2c56024d4f7c36b339ea089578e7f8775

SHA512
4b89fcfd4cc99fba0c3bcdbd8914f25f5c5e23fb8ab475632cf01abf6172eeaad9db2bcfc8c6ac9412ab53644fb5baf7b5a01708f260057d8b841b8423bedf01

Download Submit
C:\ProgramData\a5

Filesize
56B

MD5
6f10d76e583b39191028ab57f8edbed9

SHA1
fbaa6e99f3a88d1e4cd606ca45debed661135c1d

SHA256
847f6e3577892365fadc94648eabdde48b9660590ba109e8387a9cb984aee476

SHA512
17a2f133b321fb9ac992e03da4ada3b3e5f1e507c7656d287ea00efddc50885c9ea9f337dd6b8cd52015060b4f0f4fc7832a7a3603ed5a3b498d8da47916743c

Download Submit
C:\ProgramData\a6

Filesize
200KB

MD5
078c21b8c91b86999427aa349cf5decf

SHA1
b939376eaebcf6994890db24ddcb2380c1925188

SHA256
ed2c6bc3e77a404b8cf61176844ad19c1fdcae19881206631e3f0831a4bd919a

SHA512
a006a36fdcaf4c2403238475163553ba2fe7783fea200f28df46ea980a3907d2b24c854153b45b730195a133fcb28f60c157f33c865ea286ad8c354981cf5885

Download Submit
C:\ProgramData\a7

Filesize
501KB

MD5
e7c15521a6b5cdf2975086e08c5154aa

SHA1
39af4456d3bcf5e98e1db39dec6527a3f44c51db

SHA256
75b6768af07082a3957228cc4406dea6725e223c0452d71d971a607a0d05ac8d

SHA512
7392e685f0eb212dc3941bc1a0560ab505c68a313d6debbc0af9a432fd8a72eb01d4457356e4d846f9697f47acc5c14d1c06884e331e9f8449b4d1ce9b06f7a6

Download Submit
C:\ProgramData\a8

Filesize
21KB

MD5
da08e194f9a7045dbb19f6e5d5d7f609

SHA1
7884062382bf1e7911f7e74198ca9fecec159c61

SHA256
9bd52ec7e7750500de33df995fcc7e68ed1da70d125579cf76ae8f787577ef75

SHA512
46720cd0677064b00a9e253953b8b6cd5141a99d0090ff0d7c4a24b830ca621878bcdfec3c56880f940662bd78f408782231bdd3cb370e06dadfee71e3e2b2b0

Download Submit
C:\ProgramData\a9

Filesize
13KB

MD5
37aa892a6f35bcbe9b01f0a424f5d4f6

SHA1
e5d60e43a8e0a4b7371bd736e21b1a59546774af

SHA256
6feeb95115d7d8a51403996fee1ad219a52151662d3a01a2d17cfb77dbd51f3b

SHA512
a5d5ac494cba18bb5b2582310416dc2e146732ba4f2eddab6611393d61ac0ae839bacae0da1e85f0965575e6d6284b1180e2e3adb924f1e19d2d7586d2abbd83

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID8CC.tmp

Filesize
588KB

MD5
a9941233b9415b479d3b4f3732161eab

SHA1
cb2d99af52b3b1c712943b13e45d85c80c732e57

SHA256
ce34cc14e8d26119e1bf28a3a8368da6e10d13851004e2675976c5ad58b122e2

SHA512
cfd6c425587e5e7c57b6f4655e2a48c871313e2bacf63cc0955ccae1a384610644f26aa76bee0a2a327cd77c2ae7def8ea9cb0c7c7c87fab1c8196bac82037f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA237.tmp\System.dll

Filesize
12KB

MD5
8cf2ac271d7679b1d68eefc1ae0c5618

SHA1
7cc1caaa747ee16dc894a600a4256f64fa65a9b8

SHA256
6950991102462d84fdc0e3b0ae30c95af8c192f77ce3d78e8d54e6b22f7c09ba

SHA512
ce828fb9ecd7655cc4c974f78f209d3326ba71ced60171a45a437fc3fff3bd0d69a0997adaca29265c7b5419bdea2b17f8cc8ceae1b8ce6b22b7ed9120bb5ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA237.tmp\nsNiuniuSkin.dll

Filesize
287KB

MD5
bb0cdff5ac2d64723007a0b4f7962a02

SHA1
410889522ee8ea7308b054f71bc4cab078295e06

SHA256
33e460a080a621cda7896e96b6f1beee802b485cf99e18b27463cd362c484b08

SHA512
b4dc2614f01f5f01d5dec9e6a41e072d01e924d8a94ac0dc1050399fd1dc3cc8d53d7ccf162d750d166fca200771b0850191b30c7caada8edea9ba6d686e2402

Download Submit
C:\Users\Admin\AppData\Local\Temp\nswA237.tmp\skin.zip

Filesize
733KB

MD5
a688762edbfc2813b01c2f4bac29f0bc

SHA1
cb3ec2f392cea50459bdb6f5e8ef14287f31bce5

SHA256
14b1b96b487548735e8b85f66db90887451afdbc14f91039f5f28f0dbafb5c5d

SHA512
f66b1fec18ae09324cac040db5eac353f7ffa489b1acf4255cbe67773e54fad02157793bc2712bd9efdf8d55fc4127a0d8f364a1453376e718dd69bca2f1d833

Download Submit
memory/552-283-0x0000000074D40000-0x0000000074DFA000-memory.dmp

Filesize
744KB

Download
memory/552-323-0x0000000074D40000-0x0000000074DFA000-memory.dmp

Filesize
744KB

Download
memory/2708-253-0x0000000002E30000-0x0000000002EBB000-memory.dmp

Filesize
556KB

Download
memory/2708-247-0x0000000000C20000-0x0000000000C70000-memory.dmp

Filesize
320KB

Download
memory/2708-321-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download
memory/4224-266-0x0000000000970000-0x00000000009C0000-memory.dmp

Filesize
320KB

Download
memory/4224-311-0x0000000002C90000-0x0000000002D1B000-memory.dmp

Filesize
556KB

Download
memory/4224-314-0x0000000002C90000-0x0000000002D1B000-memory.dmp

Filesize
556KB

Download
memory/4224-316-0x00000000033B0000-0x00000000033E3000-memory.dmp

Filesize
204KB

Download
memory/4224-322-0x0000000000400000-0x000000000060E000-memory.dmp

Filesize
2.1MB

Download